Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Distinguishing immutable from mutable actions as a consumer #216

Open
spencerschrock opened this issue Nov 14, 2024 · 2 comments
Open

Distinguishing immutable from mutable actions as a consumer #216

spencerschrock opened this issue Nov 14, 2024 · 2 comments

Comments

@spencerschrock
Copy link

The README shows the following example for consuming an immutable action:

Consumers of your action will then be able to specify that version to consume your action from the package, e.g.

This is indistinguishable from the existing syntax for mutable actions, which I assume is for backwards compatibility reasons.

Is there anyway for a consumer or analysis tool to know what security guarantees to expect from an action (e.g. if pinning to a SHA is necessary for immutability)?
@dungdm93
Copy link

dungdm93 commented Dec 9, 2024
edited
Loading

My suggestion is using OCI image name syntax like ghcr.io/actions/setup-node:4.1.0 for immutable actions, notable:

  • domain name ghcr.io is included. This is really helpful if the action author prefer using custom registry.
  • : to separate between image and tag (instead of @)

@spencerschrock spencerschrock mentioned this issue Dec 17, 2024
Open
@JamieMagee
Copy link

With the current syntax it's not possible to determine if it's an action is immutable or not from only the YAML. However, we can query the GitHub Container Registry to see if an OCI artifact with the action's name exists. If yes, it's an immutable action. If no, it's a classic/traditional/mutable action.

For example:

ghcr.io/docker/build-push-action 
$ skopeo list-tags docker://ghcr.io/docker/build-push-action
{
    "Repository": "ghcr.io/docker/build-push-action",
    "Tags": [
        "sha256-b7324fe2c2fa52c715de1af8dbd0fd07cc8a0da6e66e4838ad324007f73d212e",
        "1.0.0",
        "sha256-c49312d36e048509b1d65fbba1df16efb0b39f612afe1e76fdd17b5d6220c440",
        "1.0.1",
        "sha256-e1d61a3071a1ae99e62aa3d694b3a3b1cecc3784158001a76b3fbae39bddcd50",
        "1.1.0",
        "sha256-7e8356f0eb2ba26ca0551c0548639685c7e60637142dd0da0232828237f23f19",
        "1.1.1",
        "sha256-ecdfb87cd9d0647f26ef740ee862402568a42a6bee7231a61c3118a0221be6e1",
        "2.0.0",
        "sha256-8c088778f90789272e40d511ee5a57a5b97517746a1b3e9ced3066db196eacdb",
        "2.0.1",
        "sha256-61ce51321b9a6698581d146c72eecf768a5fb0c3b3e5978e7c2422ba0330722f",
        "2.1.0",
        "sha256-30f892c3744291189f82d3f723fad2f87771c76c2e62400752edb1eb0aa07037",
        "2.2.0",
        "sha256-30a5bbf2fe3f664b61f8769b628a169ba5755e2c27dc00c4025e390f55165520",
        "2.2.1",
        "sha256-a37ec1e9af08ece6b12e69eae7b9342f424eaf0316754012a26f827ab6cf1c5d",
        "2.2.2",
        "sha256-bcacd65c05e37dea37aa3b1e43013c6aa087ff674e60e6b9576d68c5f34cf6e5",
        "2.3.0",
        "sha256-50d740383d4d8384927ee93b2483a916855ea1c5e48a64560dfef8e0cade73cf",
        "2.4.0",
        "sha256-b042b1b13cadb9f5e2783c0760dfcbe326f1ef089d8525f847996ff3f99654fb",
        "2.5.0",
        "sha256-6f6c1e432fca71c18521aadd8505b564f799bf77d822da642a63c0d7c196eb58",
        "2.6.0",
        "sha256-7818e3d871ca8189adb341e1ade3ad092469655949a7024c86443202ee593ef4",
        "2.6.1",
        "sha256-0b00aabe82707fc53ef9a2ebf5649766770b660f117b2b4d8413c18e9de37865",
        "2.7.0",
        "sha256-053a56abe564eba5d787f4bc09499bd74ba22162ed0fe49efefc17b39bebea0c",
        "2.8.0",
        "sha256-9be9ce29c09c7256c3aa0a94b3f2c8af70fbb067e40712324c4f907d56492a82",
        "2.9.0",
        "sha256-81ee22cf05cf1d8c766b5a9eeecf205efe208d3c113c8c3d5a55deb952dd9fde",
        "2.10.0",
        "sha256-bd4e4cef98a9515cd94c1550045fda383d3e8612ac22919d383467b544320cf8",
        "3.0.0",
        "sha256-a74029b103946385ba6e502751b2c2a583d50d72258ddbe21e773b1ae8fd509c",
        "3.1.0",
        "sha256-fdb02f71027ea852206beffdc8ad4b0622776d67443f819612164fc90cdbec9a",
        "3.1.1",
        "sha256-ebb7d6a8be90e0fa733ba2339d6b4871bb761d488c5a2afd42d8014e09bcae05",
        "3.2.0",
        "sha256-68f42c9c8f5ae4f0d30f79c1f0324892859fb1be6ccedbc000fc1068ae076f60",
        "3.3.0",
        "sha256-026e7e0f20a1f9c3469fbb5bcc2fb87eba2577aa0104ade32fe7aa48ae6c0099",
        "3.3.1",
        "sha256-2217e98b66966d6ac36a684c4f522fbdacdadb1455703dc8b057537536a60614",
        "4.0.0",
        "sha256-b6347b8aadfb9b0ceac5fcfaacf8edec7efe82e07729f6903e7c084c019daff7",
        "4.1.0",
        "sha256-30e0f99d47d27e98136e88e2e6209d142af440d459df5b0a0d032f575ca4a2d5",
        "4.1.1",
        "sha256-7215ef75c05505f3850abfb511008c248286feaa9e4fff324723bfafb7b6acaf",
        "4.2.0",
        "sha256-295ced658312cfbe602d510dde94b23d332ec7b392ba1ce218956952bcec0d6e",
        "4.2.1",
        "sha256-cb4ff93a053841381f4bea5dda9362a9aa5540a72535e72820e021f590131f8f",
        "5.0.0",
        "sha256-9f64976a42513a6f8ff59c505940bdd30711c7616fe968ba23b529ad8bba6efc",
        "5.1.0",
        "sha256-b9102cf309a84be262887a9491d9dbaf9d8d73148935befa778ea9820f0b095f",
        "5.2.0",
        "sha256-39ddef935e79bc24eea30e2505a10742405425e5862e9b96f8863adfc5c2431f",
        "5.3.0",
        "sha256-b1eb22c8ac697d9d0cdfecd96982afc33f5bf7897b1a76f89fd6cb58e9f98e3e",
        "5.4.0",
        "sha256-612bf2dedb05068d83f30836cee0292ec5674007977d10caea8f88328165f2da",
        "6.0.0",
        "sha256-79eeba624b1806070255aa77f10ea552ff9f92ba88f5e16b877361ee439c51b9",
        "6.0.1",
        "sha256-3d05ac89e3b690afd93612757ce42ab3cbf4913e5c095e4fb9401a3b56e26b75",
        "6.0.2",
        "sha256-a81f2bc98975600bd34a48d140bd8d4846039e3b8e58e2091eb7c50b20ba1138",
        "6.1.0",
        "sha256-78ae16082d6e7c36c9f7e75f755ba0e6f0cd72e99191385d34ef7225b9276d7b",
        "6.2.0",
        "sha256-a24370bc534f3bfd61147f4d7efc4ce209d04deab19e98941e1f9778d65aaac3",
        "6.3.0",
        "sha256-101dbcc42eea1752dfcb75418249a839323ac457b688d0bd45ecfc9cc59891c2",
        "6.4.0",
        "sha256-ba7fb313d55283c28720c23911abf8594efc142d90477c1e60e7250af5c400b0",
        "6.4.1",
        "sha256-c51b2cfad2eb3b36ac963110cf5f1d7023ee5d8e2f4bfc19b0fdad2204ad2273",
        "6.5.0",
        "sha256-98ab40514a705cb1826cfb17ade8dc0fa84b37d7d403a9b579c82548a339e11f",
        "6.6.0",
        "sha256-d6188bb17a653794553636f8b7ce753c98c9d6584c19cbc9b5e85836fe93efd9",
        "6.6.1",
        "sha256-7fe7e9147235b4456a04d1ecf972e53a598f34981689cb7a2c313c0b0e8560b5",
        "6.7.0",
        "sha256-4d20d563488e3489b2672d81261898cf14aa80922227008ceffcb9b7c4f0d0b8",
        "6.8.0",
        "sha256-aa781eae03718581863e1ce55e87011e705167abc0619fb535b4db2c9bd1c2e4",
        "6.9.0",
        "sha256-1d11e378240280c23d31208bec8cfb436f0330c0314007a23b76240298e0ba9e",
        "6.10.0"
    ]
}

$ skopeo inspect --raw docker://ghcr.io/docker/build-push-action:6.10.0 | jq
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "artifactType": "application/vnd.github.actions.package.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.empty.v1+json",
    "size": 2,
    "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"
  },
  "layers": [
    {
      "mediaType": "application/vnd.github.actions.package.layer.v1.tar+gzip",
      "size": 3416926,
      "digest": "sha256:38f37951e1eab2e18b767482353020c2f376e7d7387019aee4f9c7846c1ef2d8",
      "annotations": {
        "org.opencontainers.image.title": "docker-build-push-action_6.10.0.tar.gz"
      }
    },
    {
      "mediaType": "application/vnd.github.actions.package.layer.v1.zip",
      "size": 4029682,
      "digest": "sha256:2eef1dfbf9a8e82c987f74a130b03b9d2c4e6b8388cf0d5186a4c646e108f7be",
      "annotations": {
        "org.opencontainers.image.title": "docker-build-push-action_6.10.0.zip"
      }
    }
  ],
  "annotations": {
    "org.opencontainers.image.created": "2024-11-26T10:50:01.060Z",
    "action.tar.gz.digest": "sha256:38f37951e1eab2e18b767482353020c2f376e7d7387019aee4f9c7846c1ef2d8",
    "action.zip.digest": "sha256:2eef1dfbf9a8e82c987f74a130b03b9d2c4e6b8388cf0d5186a4c646e108f7be",
    "com.github.package.type": "actions_oci_pkg",
    "com.github.package.version": "6.10.0",
    "com.github.source.repo.id": "241092383",
    "com.github.source.repo.owner.id": "5429470",
    "com.github.source.commit": "48aba3b46d1b1fec4febb7c5d0c644b249a11355"
  }
}

Specifically, we'd be looking to see that the artifactType is application/vnd.github.actions.package.v1+json

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@JamieMagee @spencerschrock @dungdm93